Toyotas Are Better Than Audis Because Toyota’s Vendor Risk Management Is Better

April 9, 2015

Last Updated on January 19, 2024

It’s always interesting to me to see how different industries handle vendor risk management. Often when we see a wave of leads/opportunities from a particular industry, we can trace it to new vendor risk management practices (or a new RFP of note) that hit the streets referring to a particular information security framework.
The last few months we have seen a fair amount interest in information security in the automotive suppliers vertical. It looks as though the major auto suppliers’ vendor risk management practices are ratcheting up. Not surprisingly given the growing penetration of ISO 27001 certification in Japan, it appears that the major Japanese automobile manufacturers are pushing key vendors to move towards ISO 27001. For example, we recently had the opportunity to help an automotive supplier get ISO 27001 certified to meet a contractual obligation with Toyota.
Meanwhile, today I was exposed to the “Verband der automobilindustrie” (VDA) Information Security Assessment questionnaire, which Audi had issued to a potential client of ours. The questionnaire is interesting: VDA selected 51 of the 134 controls in ISO 27002:2005, and the questionnaire requires a vendor to assess their maturity for each control on a 0-to-5 scale (Incomplete -> Optimized).
I’m a bit of a fan of Capability Maturity Modeling, so I was intrigued to see it used in conjunction with ISO 27002 in this way. However, I was disappointed that there was no indication of the rationale (vendor risk assessment?) for only assessing those 51 controls. I was also surprised that they were using a version of the standard that is outdated by almost two years.
So does this difference in approach by Audi and Toyota mean anything?
Logically, the quality of an automaker’s vendor risk management practices should correlate with the quality of their cars. Toyota is holding vendors to the current gold standard in attestation (ISO 27001), and their Lexus nameplate finished in first place in the 2015 J.D. Power Vehicle Dependability study by a wide margin. The Toyota brand finished in third place—pretty remarkable.
Audi, which is using 38% of an outdated version of ISO 27002 for its vendor risk management, finished in fifteenth place. Just saying …

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Toyotas Are Better Than Audis Because Toyota’s Vendor Risk Management Is Better

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security